Skip to content

Avoid Docker firewall policy bypass#82

Draft
nekohasekai wants to merge 1 commit into
devfrom
codex/propose-fix-for-docker-firewall-policy-bypass
Draft

Avoid Docker firewall policy bypass#82
nekohasekai wants to merge 1 commit into
devfrom
codex/propose-fix-for-docker-firewall-policy-bypass

Conversation

@nekohasekai

Copy link
Copy Markdown
Member

Motivation

  • Prevent auto-redirect from weakening host Docker firewall policy by inserting unconditional ACCEPT rules into Docker's DOCKER-USER chain.
  • Ensure sing-tun only removes its own compatibility rules (cleanup) rather than auto-creating broad allow rules that can bypass administrator rules.

Description

  • Stop automatic Docker firewall monitoring/configuration during nftables setup by removing the startDockerFirewallMonitor() / configureDockerFirewall(false) calls in setupNFTables() (redirect_nftables.go).
  • Change reconciliation logic so reconcileDockerFirewallRules no longer inserts ACCEPT rules and instead only removes existing sing-tun compatibility rules by delegating to cleanupDockerFirewallRules (redirect_nftables_docker.go).
  • Adjust the reconciliation function signature usage to ignore table/chain parameters when not needed to avoid inserting rules into DOCKER-USER.
  • Add regression tests in redirect_nftables_docker_test.go that verify reconciliation does not queue insertions and that existing compatibility rules are cleaned up.

Testing

  • Ran go test ./... and all tests passed, including the new TestDockerFirewallReconcileDoesNotInsertAcceptRules and TestDockerFirewallReconcileCleansExistingCompatibilityRules which succeeded.

Codex Task

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant